Commit 007cd223 authored by Prasad J Pandit, committed by Jason Wang

net: rocker: fix an incorrect array bounds check



While processing transmit (tx) descriptors in the 'tx_consume' routine,
the switch emulator suffers from an off-by-one error if a
descriptor was to have more than the allowed (ROCKER_TX_FRAGS_MAX=16)
fragments. Fix an incorrect bounds check to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
parent 7d6d347d
+4 −4
@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
        frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
        frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);

        if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
            goto err_too_many_frags;
        }
        iov[iovcnt].iov_len = frag_len;
        iov[iovcnt].iov_base = g_malloc(frag_len);
        if (!iov[iovcnt].iov_base) {
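Review bot: the `if (iovcnt >= ROCKER_TX_FRAGS_MAX)` branch jumps to err_too_many_frags without assigning err, whereas the err_bad_io path in the following hunk sets `err = -ROCKER_ENXIO;` before its goto. Unless err already holds a failure value at this point in tx_consume, a descriptor with too many fragments will complete with whatever err held before the loop. Consider assigning an explicit error code before the goto so the guest driver sees the descriptor rejected. Testing the bound before the write to iov[iovcnt] is the right position for the check.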
@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
            err = -ROCKER_ENXIO;
            goto err_bad_io;
        }

        if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
            goto err_too_many_frags;
        }
        iovcnt++;
    }

    if (iovcnt) {
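Review bot: at the `goto err_bad_io` kept as context in this hunk, the buffer allocated for the current fragment sits in iov[iovcnt] while iovcnt has not yet been incremented, so the cleanup under err_bad_io has to free that slot as well, for example by walking all ROCKER_TX_FRAGS_MAX entries instead of only the first iovcnt. That cleanup code is outside the visible lines and is worth confirming alongside this change. The unconditional `iovcnt++` at the end of the loop body is correct now that the bound is enforced before the array write, and it leaves iovcnt at most ROCKER_TX_FRAGS_MAX when `if (iovcnt)` is reached.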